Microsoft Security | Microsoft Entra | Other
Additional Microsoft Entra services and features related to identity, access, and network security
Cannot de-assign role through SCIM
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(252.8, 88%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGO%3C/text%3E%3C/svg%3E)
Gabriel Ostrolucký
0
Reputation points
We have set up provisioning according https://learn.microsoft.com/en-us/entra/identity/app-provisioning/customize-application-attributes#provisioning-a-role-to-a-scim-app
We tried all 3 functions that were mentioned: SingleAppRoleAssignment, AppRoleAssignmentsComplex, AssertiveAppRoleAssignmentsComplex
None of them seem to de-assign roles that Azure/Entra doesn't know about
Assuming target User has either admin/employee roles assigned in Azure/Entra:
SCIM server responds with
"roles": [
{
"value": "admin",
"display": "Admin",
"type": "COMPLIANCE_COCKPIT",
"primary": true
},
{
"value": "employee",
"display": "Employee",
"type": "INTEGRITY_HUB",
"primary": true
}
],
Given this mapping
Azure/Entra refuses to process the user:
Given other mapping, like so
Azure/Entra SCIM client attempts to always do PATCH ADD operation instead of replace/add+remove
"Operations":[{"op":"Add","path":"roles","value":[{"value":"admin"}]}
This means SCIM server doesn't know that it should drop the other role. This in effect means once user gets role assigned through application that's different than the one specified in Azure, you cannot revoke access through SCIM. Same issue is with all 3 functions, if target attribute is roles.
I found related issue at https://learn.microsoft.com/en-us/answers/questions/1163551/azure-scim-user-provision-sending-patch-with-add-o but answer there was that you simply do not support multi-value/complex custom attributes, while roles is not a custom attribute, it's a core SCIM attribute
Microsoft Security | Microsoft Entra | Other
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(217.60000000000002, 51%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBS%3C/text%3E%3C/svg%3E)
Bandela Siri Chandana 3,075 Reputation points Moderator2024-10-30T14:00:00.5066667+00:00 Hi @Gabriel Ostrolucký
Thank you for reaching out. We are currently working on this and will update you shortly. -
Bandela Siri Chandana 3,075 Reputation points Moderator
2024-11-18T17:02:11.9466667+00:00 I understand you're encountering an issue with Azure AD/Entra handling SCIM-based role provisioning and de-provisioning, where roles assigned in the SCIM system aren't properly removed when updated, and the system always tries to add roles without considering existing ones. This can happen for various reasons related to how SCIM provisioning is handled by Azure AD/Entra, particularly when multi-value or complex attributes (like roles) are involved.
Azure AD/Entra provisioning typically expects either a
Replaceoperation or a combination ofAddandRemoveoperations for attributes that support multi-values (like roles). TheAddoperation alone does not remove or replace any previous values, which is why you're encountering the issue of old roles persisting.To resolve this issue, you need to ensure that SCIM provisioning operations explicitly specify the
ReplaceorAdd+Removeoperations for therolesattribute, rather than justAdd. This will allow Azure AD to process changes correctly and handle role de-provisioning.Thanks,
B. Siri Chandana.
Sign in to comment
Sign in to answer